Gartner recently published its first-ever Market Guide for Security Orchestration, Automation and Response Solutions, written by Claudio Neiva, Craig Lawson, Toby Bussa, and Gorka Sadowski (Gartner Market Guide for Security Orchestration, Automation and Response Solutions; Neiva, Lawson, Bussa & Sadowski, June 27, 2019). D3 is one of the vendors profiled in the guide. While the guide does not evaluate the vendors that are included, the authors do offer recommendations, predictions, and analysis that are relevant to both vendors and prospective buyers. We like what the authors have to say on many topics in the guide and we broadly agree with the vision of SOAR that the guide presents.
In this article, we’ve highlighted Gartner’s findings on three topics that we found particularly interesting. To read the guide in its entirety, you can download the Gartner Market Guide here.
Regarding Independent Vendors
From the Market Guide’s Recommendation Section: “Put a contingency plan in place in the event the SOAR tool is acquired by another vendor. Acquisitions are occurring with some frequency as the market evolves. Buyers should be prepared.”
From the Market Guide’s Future of SOAR Section: “At the same time, SOAR products must be vendor-agnostic to maintain value due to integration. The reality will more likely be that for some time independent solutions will continue to do a better job with their singular focus on roadmap execution and better treatment of being “vendor neutral” with available integrations.”
D3 Comments: We were interested to see multiple mentions of the frequency of recent SOAR acquisitions in the guide. The value of independent vendors is something we feel very strongly about. D3 is 100% independent with no external investors. We think this gives us—and more importantly, our clients—several advantages. SOAR relies heavily on integrations, and we are able to remain completely agnostic to the security tools with which we integrate, which is not necessarily the case for SOAR tools that are owned by larger cybersecurity companies. There is also no risk of D3 SOAR being ‘scrapped for parts’, rolled into a SIEM tool, deprioritized by a parent company, or suffering any other outcome that would severely impact our ability to provide the best possible services in the long term.
Regarding Pricing Models
From the Market Guide’s SOAR Tool Advice Section: “Have a pricing cost that is aligned with the needs of the organization and that is predictable. Avoid pricing structures based on the volume of data managed by the tool or based on the number of playbooks run per month, as these metrics carry an automatic penalty for more frequent use of the solution.”
From the Market Guide’s Market Analysis Section: “Gartner clients have systematically expressed frustration with pricing models that are hard to predict. It is very hard on 1 January to know how many events will hit the SOAR, or how many actions/playbooks the SOAR will do for the whole year.”
D3 Comments: D3 has always had a per-user pricing model, which allows clients to easily predict their costs. Pricing based on actions or data volume strikes us as antithetical to the mission of a SOAR vendor, because those models disincentivize usage of the tool and pile on extra costs at the worst possible time: when a serious incident hits. We were encouraged to read that Gartner clients feel the same way we do about unpredictable pricing.
Regarding Configurability and Complexity
From the Market Guide’s SOAR Tool Advice Section: “Offer flexibility in the deployment and hosting of the solution — either in the cloud, on-premises or a hybrid of these — to accommodate organizations’ security policies and privacy considerations, or organizations’ cloud-first initiatives.”
From the Market Guide’s SOAR Tool Advice Section: “Optimize the collaboration of analysts in the SOC, for example, with a chat or IM framework that makes analysts’ communication more efficient, or with the ability to work together on complex cases.”
From the Market Guide’s Future of SOAR Section: “SOAR solutions with a broader scope of use cases will require role-based access control (RBAC) capabilities to allow segregation of duties as well as views of information.”
D3 Comments: We have always tried to make D3 SOAR the most configurable and broadly feature-rich platform on the market. This includes the ability to host the solution on-premises or in the cloud. D3 also offers deep case management capabilities, including collaborative tools and role-based access controls, both features that are mentioned or recommended in the guide. One of the things that sets D3 apart is the care we take in tailoring each deployment to the client’s exact needs, which is enabled by the configurability of our software.
SOAR Going Forward
SOAR has been the subject of several Gartner documents in the past, but getting its own market guide is a big step toward recognizing SOAR’s impact on both security operations and the cybersecurity marketplace. We were glad to see that many of the areas we focus on were discussed thoroughly in the guide. In addition to what we’ve covered here, D3 is also pushing SOAR forward in other ways, such as by embedding the entire MITRE ATT&CK matrix in D3 SOAR to create ATTACKBOT, a live and contextual kill-chain-based response solution.
We recommend reading the entire market guide. You can download it here.
Source: Gartner, Market Guide for Security Orchestration, Automation and Response Solutions, Claudio Neiva, Craig Lawson, Toby Bussa, Gorka Sadowski, 27 June 2019.
Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.